Re: BUG: unable to handle kernel NULL pointer dereference in ipv6_select_ident

From: Chris Boot
Date: Wed Dec 21 2011 - 16:58:37 EST


On 21/12/2011 20:52, Eric Dumazet wrote:
Le mercredi 21 dÃcembre 2011 Ã 21:28 +0100, Eric Dumazet a Ãcrit :
Le mercredi 21 dÃcembre 2011 Ã 20:05 +0000, Chris Boot a Ãcrit :
On 21/12/2011 18:00, Eric Dumazet wrote:
Le mercredi 21 dÃcembre 2011 Ã 18:36 +0100, Eric Dumazet a Ãcrit :

Good point, thats a different problem then, since 3.1 is not supposed to
have this bug.

It seems rt->rt6i_peer points to invalid memory in your crash.

(RBX=00000000000001f4)

8b 83 a4 00 00 00 mov 0xa4(%rbx),%eax p->refcnt
1f4+a4 -> CR2=0000000000000298

It would help if you can confirm latest linux tree can reproduce the
bug.
Hi Eric,

I just built a v3.2-rc6-140-gb9e26df with the same config as the Debian
3.1.0 kernel. I can reproduce the bug just as easily with this kernel as
with the Debian kernel. Unfortunately I wasn't able to get an entire
trace, for some reason it didn't appear to be printed to the serial port
and hung after the (long) list of loaded kernel modules. The crash
happens at the same offset:

Thanks !

Oh well, br_netfilter fake_rtable strikes again.

I'll cook a patch in a couple of minutes...

Could you try following patch ?

[snip]

Eric,

It looks good! The rsync that caused the crash real quick hasn't done it at all with the patch applied. I'll keep testing it of course, but I think that's done it.

Many thanks indeed!

Chris

--
Chris Boot
bootc@xxxxxxxxx

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/